
CTI Roundup: Realst Malware Targets macOS, Infostealer Malware Sees Exponential Growth

Realst malware targets macOS Sonoma ahead of public release, infostealer malware sees exponential growth, and new Nitrogen malware spreads via Google Ads for ransomware attacks

Emerging Issue

In this week’s roundup, CTI dives into the Realst malware that is being used in a large campaign targeting Apple computers. Next up, CTI highlights a report about how threat actors are selling infostealing malware logs on the dark web and Telegram channels. Finally, CTI provides an overview of a new Nitrogen initial access malware campaign that impersonates legitimate software to infect victims with Cobalt Strike and ransomware payloads.

1. Realst infostealing malware aims for macOS Sonoma ahead of public release

SentinelOne recently analyzed 59 malicious Mach-O samples of the Realst infostealer malware that is being used in a large campaign targeting Apple computers.

Researchers found some samples of this new Rust malware already targeting Apple’s forthcoming OS release, macOS 14 Sonoma. The malware infects both Windows and macOS users via fake blockchain games that are promoted on social media.

Realst distribution

The Realst infostealer is distributed via malicious sites that advertise fake blockchain games like Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.

Each version of the fake game is hosted on its own website with its own associated Twitter and Discord accounts. Threat actors have also been observed approaching potential victims directly through direct messages on social media.

About Realst malicious installers

Some versions of the infostealer are distributed by Evolion.pkg, which is a .pkg installer that contains a malicious Mach-O and three related scripts.

  • One script is a cross-platform Firefox infostealer.
  • Another script is a copy of the open-source project chainbreaker. This script extracts passwords, keys, and certificates from the macOS keychain database.
  • The third script is a barebones uninstall script with no real malicious behavior.

Other versions of Realst are distributed via .dmg disk images. Developers have been observed packaging the malware in Electron apps and native macOS application bundles.

Some samples were codesigned with a specific Apple Developer ID that has since been revoked. Other samples are ad-hoc codesigned; an ad-hoc signature carries no certificate, so there is nothing for Apple to revoke, and those samples will continue to launch.
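How a responder tells those two cases apart on a quarantined sample, as an added example that is not part of SentinelOne's analysis or this roundup: the script runs Apple's `codesign -dvv` on a path and reduces its output to whether the signature is backed by a certificate at all. The parser works on the text `codesign` prints, so the three constructed output samples stand in for real runs; the field names (`Signature=adhoc`, `Authority=`, `TeamIdentifier=`) are what the tool prints, while the paths, identifiers and team ID are made up and the helper names are my own.

```python
import subprocess
from typing import Dict, List


def run_codesign(path: str) -> str:
    """Run Apple's codesign on a file; it prints the signature details to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def classify_signature(codesign_text: str) -> Dict[str, object]:
    """Reduce `codesign -dvv` output to the property that matters here: whether the
    signature is backed by a certificate that the issuer could revoke.

    kind is one of: unsigned, adhoc, developer_id, signed_other.
    """
    info: Dict[str, object] = {"kind": "signed_other", "team": "", "authorities": [],
                               "certificate_backed": False}
    if "not signed at all" in codesign_text:
        info["kind"] = "unsigned"
        return info
    authorities: List[str] = []
    for raw in codesign_text.splitlines():
        line = raw.strip()
        if line == "Signature=adhoc":
            # Ad-hoc: the code directory is sealed with hashes only, no certificate chain,
            # so there is no Authority line and nothing Apple can revoke remotely.
            info["kind"] = "adhoc"
        elif line.startswith("Authority="):
            authorities.append(line.split("=", 1)[1])
        elif line.startswith("TeamIdentifier=") and not line.endswith("not set"):
            info["team"] = line.split("=", 1)[1]
    info["authorities"] = authorities
    info["certificate_backed"] = bool(authorities)
    # The leaf certificate is listed first; Developer ID is what the revoked Realst samples used.
    if authorities and authorities[0].startswith("Developer ID Application:"):
        info["kind"] = "developer_id"
    return info


def triage(path: str) -> Dict[str, object]:
    """Classify a file on disk (macOS only, needs the codesign tool)."""
    info = classify_signature(run_codesign(path))
    info["path"] = path
    return info


# Constructed codesign output, shaped like the real tool's, for the three cases.
ADHOC_OUTPUT = """Executable=/Users/analyst/quarantine/sample
Identifier=sample
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=13+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
"""

DEVID_OUTPUT = """Executable=/Users/analyst/quarantine/Game.app/Contents/MacOS/Game
Identifier=com.example.game
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=28+7 location=embedded
Signature size=8994
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=184
"""

UNSIGNED_OUTPUT = "/Users/analyst/quarantine/dropper: code object is not signed at all\n"
```

An ad-hoc result does not mean the sample is harmless, only that revocation will never stop it; Gatekeeper treats unsigned and ad-hoc binaries alike, so the practical control is removing the file and the launch item that runs it.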

Dynamic analysis of Realst variants

From a behavioral perspective, Realst samples look similar across all variants. Some use different API calls and carry variant-specific dependencies, but all of them exfiltrate browser data, crypto wallets, and keychain databases. Realst targets the Firefox, Chrome, Opera, Brave, and Vivaldi browsers and can also target Telegram.

Most of the Realst variants attempt to grab the user’s password through osascript with a spoofed AppleScript dialog, and they check that the host is not a virtual machine. The infostealer collects data and drops it into a folder named “data”, which appears in one of several locations depending on the version of the malware. If the malware has been granted screen capture permission, it also saves a screenshot of the victim’s desktop to the same location.
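Detection logic for those three runtime behaviours, as an added example that is not from SentinelOne's report: it scans process-execution records of the shape EDR agents commonly emit (constructed here as JSON lines) for an `osascript` dialog that masks input with `hidden answer` or asks for admin rights, a `sysctl hw.model` query used to spot a virtual machine, and `screencapture` writing into a folder named `data`, then correlates the hits by parent process. The dialog text, paths and process names in the sample events are constructed, not strings from Realst samples, and the rule names are my own.

```python
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed EDR-style process events (one JSON object per line), not real Realst telemetry.
SAMPLE_EVENTS = r"""
{"pid": 4101, "ppid": 4100, "parent": "/Applications/Game.app/Contents/MacOS/Game", "process": "/usr/bin/osascript", "cmdline": "osascript -e 'display dialog \"Game needs your password to continue\" default answer \"\" with hidden answer with icon caution'"}
{"pid": 4102, "ppid": 4100, "parent": "/Applications/Game.app/Contents/MacOS/Game", "process": "/usr/sbin/sysctl", "cmdline": "sysctl -n hw.model"}
{"pid": 4103, "ppid": 4100, "parent": "/Applications/Game.app/Contents/MacOS/Game", "process": "/usr/sbin/screencapture", "cmdline": "screencapture -x /Users/victim/Library/Application Support/data/screen.png"}
{"pid": 5200, "ppid": 1, "parent": "/sbin/launchd", "process": "/usr/bin/osascript", "cmdline": "osascript /Users/victim/scripts/backup.scpt"}
{"pid": 5201, "ppid": 5000, "parent": "/bin/zsh", "process": "/usr/sbin/sysctl", "cmdline": "sysctl -n hw.ncpu"}
"""

# Each rule: the binary it applies to and the command-line pattern that makes it suspicious.
RULES = {
    # Password dialog whose input is masked for the user but handed to the script in clear
    # text, or a shell command requesting admin rights through the system auth prompt.
    "osascript_password_prompt": (
        "osascript",
        re.compile(r"(display dialog.*hidden answer)|(with administrator privileges)", re.S),
    ),
    # Reading the hardware model is the usual cheap VM check: the string names the hypervisor.
    "vm_check_hw_model": ("sysctl", re.compile(r"\bhw\.model\b")),
    # Desktop screenshot written into a folder named "data", matching the staging folder.
    "screenshot_to_data_dir": ("screencapture", re.compile(r"/data(/|\s|$)")),
}


def parse_events(jsonl: str) -> List[Dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def match_rules(event: Dict) -> List[str]:
    binary = event.get("process", "").rsplit("/", 1)[-1]
    cmdline = event.get("cmdline", "")
    return [name for name, (target, pattern) in RULES.items()
            if binary == target and pattern.search(cmdline)]


def detect(events: List[Dict]) -> List[Dict]:
    findings = []
    for ev in events:
        for rule in match_rules(ev):
            findings.append({"pid": ev["pid"], "ppid": ev["ppid"],
                             "parent": ev["parent"], "rule": rule})
    return findings


def correlate(findings: List[Dict]) -> Dict[int, List[str]]:
    """Group hits by parent process. Any one rule fires on benign admin tooling now and
    then; a parent that spawns two or more of these behaviours is the stealer-like pattern."""
    by_parent: Dict[int, set] = defaultdict(set)
    for f in findings:
        by_parent[f["ppid"]].add(f["rule"])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_EVENTS))
    for ppid, rules in correlate(hits).items():
        print(f"parent pid {ppid}: {', '.join(rules)}")
```

The correlation step is what keeps this usable: a lone `sysctl hw.model` or a scripted `display dialog` is routine on a developer's Mac, while a game binary that does all three within one process tree is not.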

Static analysis of Realst variants

SentinelOne identified 16 different variants across the 59 Realst samples and divided them into four major families. There are enough overlaps that the lines could be drawn differently; the chosen breakdown is based on string artifacts that aid threat hunters in identification and detection.

  • Variant family A: 26/59 samples. The defining characteristic is the inclusion of whole strings related to AppleScript spoofing, which these variants use to grab the user’s admin password in clear text. The dialog uses AppleScript’s “hidden answer” option, so the characters the user types are shown as bullets, while the script receives the password in clear text and logs it. These samples also include full strings for anti-analysis VM detection via the hw.model sysctl value.
  • Variant family B: 10/59 samples. These variants break the same strings into smaller units, most likely to evade simple static detection. Otherwise they are very similar to variant A.
  • Variant family C: 7/59 samples. These variants are distinctive in that they introduce a reference to chainbreaker within the Mach-O binary itself.
  • Variant family D: 16/59 samples. Here password scraping is handled by a prompt in the Terminal window instead of a dialog. In some cases the malware also used the scraped password to elevate privileges with sudo and install the Python pycryptodome package.
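A hunting script that applies this four-family breakdown to raw sample bytes, as an added example (not SentinelOne's own rules or YARA): it extracts printable strings and checks for the artifacts the report names, and for the string splitting of family B it also searches the join of consecutive short printable fragments, which is a heuristic I am assuming here rather than something the report describes. The markers (`hidden answer`, `hw.model`, `chainbreaker`, `sudo`, `pycryptodome`) come from the report; the report does not quote the Sonoma string, so the literal name is checked as a placeholder; the sample byte blobs are constructed, not taken from Realst.

```python
import re
from typing import Dict, List, Set

# Artifacts the report names, keyed by the family they characterise.
FAMILY_MARKERS: Dict[str, List[str]] = {
    "A": ["hidden answer", "hw.model"],   # AppleScript password dialog + VM check, whole strings
    "C": ["chainbreaker"],                # keychain dumper referenced from the Mach-O
    "D": ["sudo", "pycryptodome"],        # Terminal prompt flow: sudo elevation, pip install
}
ALL_MARKERS = [m for markers in FAMILY_MARKERS.values() for m in markers]


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """`strings`-style extraction of printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def whole_markers(strings: List[str]) -> Set[str]:
    return {m for s in strings for m in ALL_MARKERS if m in s}


def fragmented_markers(blob: bytes, max_fragment: int = 6, max_gap: int = 8) -> Set[str]:
    """Heuristic (my assumption, not from the report) for the string splitting of family B:
    chain consecutive short printable runs that sit close together and search the join."""
    found: Set[str] = set()
    chain, prev_end = "", -1
    for m in re.finditer(rb"[\x20-\x7e]+", blob):
        text = m.group().decode("ascii")
        if len(text) <= max_fragment and (chain == "" or m.start() - prev_end <= max_gap):
            chain += text
        else:
            chain = text if len(text) <= max_fragment else ""
        prev_end = m.end()
        found.update(marker for marker in ALL_MARKERS if marker in chain)
    return found


def classify(blob: bytes) -> Dict[str, object]:
    whole = whole_markers(extract_strings(blob))
    frag = fragmented_markers(blob) - whole
    present = whole | frag
    families: List[str] = []
    if set(FAMILY_MARKERS["A"]) <= whole:
        families.append("A")
    elif set(FAMILY_MARKERS["A"]) <= present:
        families.append("B")        # same markers, only recoverable by joining fragments
    if "chainbreaker" in present:
        families.append("C")
    if set(FAMILY_MARKERS["D"]) <= present:   # "sudo" alone is far too common to key on
        families.append("D")
    return {
        "whole": sorted(whole),
        "fragmented": sorted(frag),
        "families": families,
        # Placeholder: the report does not quote the Sonoma-targeting string.
        "mentions_sonoma": b"sonoma" in blob.lower(),
    }


# Constructed byte blobs standing in for Mach-O samples of each family.
SAMPLE_A = (b'\x00\x00display dialog "Enter your password" default answer "" with hidden answer'
            b'\x00sysctl\x00hw.model\x00macOS Sonoma\x00')
SAMPLE_B = b"hidd\x00en a\x00nswer\x00\x00hw.\x00mod\x00el\x00"
SAMPLE_C = b"\x00chainbreaker\x00/usr/bin/python3\x00"
SAMPLE_D = b"sudo -S\x00pip3 install pycryptodome\x00Password:\x00"
```

On real samples, run `classify` over the file bytes of each Mach-O (for fat binaries, each architecture slice); the fragment join is cheap enough to run across a whole quarantine directory and surfaces the family B samples that a plain `strings | grep` misses.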

Realst prepares for macOS 14 Sonoma

Roughly one-third of the samples identified by SentinelOne contained strings targeting macOS 14 Sonoma.

The string artifacts appeared in half of variant A samples and all variant B samples, but not in variant C or D. At this point, it’s not clear how the difference between Sonoma and Ventura would impact the execution of Realst.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Considering how many samples of Realst have been identified and the variations between these samples, we can tell that the threat actor has invested a great deal of effort into the infostealer.

We can already see the threat actor is planning and preparing for Apple’s forthcoming OS release. It’s probable that we would see additional variants of Realst between now and the release of Sonoma as the threat actor appears to be continually modifying its malware.”

2. The exponential growth of infostealer malware: Over 300,000 corporate credentials for sale

Cybersecurity company Flare recently analyzed 20 million infostealing malware logs for sale on the dark web and Telegram channels. Their analysis reveals roughly 375,000 logs containing access to business credentials for popular applications like Salesforce, QuickBooks, AWS, Google Cloud, DocuSign, and others.

The use of infostealer malware has been growing exponentially, making it one of the top trends across the industry for the past few years. The various infostealer variants collect data from compromised devices, and the resulting stealer logs are packaged and sold across the dark web and Telegram. Flare’s analysis examines multiple data sets totaling more than 19.6 million stealer logs.

The tiers of infostealer access

Flare breaks down stealer logs into three tiers based on the type of credentials contained within the log and the type of access the threat actor is likely looking to gain by leveraging those credentials.

Tier 1 logs: High-value corporate credentials

People often save passwords in their browsers for convenience. When an infostealer infects a device, it compromises every credential saved in the browser at once, which can include CRMs, RDP, VPNs, SaaS applications, and more. Threat actors value corporate credentials for obvious reasons, and initial access brokers (IABs) often target these credentials to resell them on dark web forums.

To determine if an infected device had corporate access at scale, Flare identified certain indicators that they believe are likely correlated with corporate access.

  • Corporate IT infrastructure: Flare began by searching logs for logins to the AWS Management Console and Google Cloud Console. This turned up 181,785 logs, of which 179,411 contained AWS console credentials. About 75% of these appeared in public or private Telegram rooms, 24% on Russian Market, and less than 1% on Genesis Market.
  • Business contacts and financial applications: Another classification Flare used was business financial applications such as Intuit QuickBooks and DocuSign. 80,099 logs had access to one of these applications, 64,000 of them DocuSign credentials.
  • CRM and customer data applications: Flare reviewed two of the larger CRM providers, Salesforce and HubSpot, and found 66,000 logs containing CRM access in total, about 23,000 of which contained access to Salesforce accounts.
  • OpenAI and ChatGPT: Flare also searched for stealer logs containing openai[.]com and found over 200,000.

Tier 2 logs: Banking and financial services

These logs include credentials for major banks that are in turn used by threat actors to steal money from consumer accounts. These are sold for an average of $112 on Genesis Market compared to an average of $15 across all logs.

According to Flare, these are the second most highly valued type of stealer log. Flare checked the domains of 213 financial services companies against its sample to determine what share had logs including them and how the price of those logs differs. An infected device listed on Genesis Market that included a financial services login sold for about $112 on average, compared to about $14 for one without. The top 50 US banks have about 200,000 stealer logs associated with consumer banking logins.

Tier 3 logs: Consumer applications

Threat actors use these logs to access consumer VPN applications, streaming services, and other applications. These are the lowest-valued logs, and typically sell for $10 to $15 per log file.

Flare analyzed the 50 most commonly appearing domains in their stealer log sample. Google, Gmail, Facebook, and Microsoft rank at the top of the list and commonly have associated stealer logs. Amazon, Netflix, Instagram, PayPal, and several others also neared the top of the list.
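Flare's three tiers applied by a defender to a stealer log they have obtained, as an added example that is not from the report: the parser reads the `URL:` / `USER:` / `PASS:` record layout that many stealer families write to their password dump (a common layout, not something the report describes), assigns each record a tier from a domain list, and reports corporate exposure for a set of watched domains plus passwords reused across sites. The log text is constructed; the tier-1 list is a subset of the applications the report names, while `bank.example` and the watched domain `example-corp.com` are stand-ins, and the function names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Tier membership follows the report; the specific domains are a small constructed subset.
TIER1_SAAS = ["aws.amazon.com", "cloud.google.com", "salesforce.com", "hubspot.com",
              "quickbooks.intuit.com", "docusign.com", "openai.com"]
TIER2_BANKS = ["bank.example", "credit-union.example"]   # stand-ins for real bank domains

# Constructed stealer-log excerpt in the URL/USER/PASS layout many families write.
SAMPLE_LOG = """\
URL: https://console.aws.amazon.com/console/home
USER: ops@example-corp.com
PASS: Hunter2!2023

URL: https://login.salesforce.com/
USER: sales@example-corp.com
PASS: Summer.2023

URL: https://vpn.example-corp.com/remote/login
USER: jdoe
PASS: Summer.2023

URL: https://chat.openai.com/auth/login
USER: jdoe@gmail.com
PASS: pa55word

URL: https://online.bank.example/login
USER: jdoe
PASS: b4nkpass

URL: https://www.netflix.com/login
USER: jdoe@gmail.com
PASS: netflix123

URL: https://www.linkedin.com/login
USER: ops@example-corp.com
PASS: Hunter2!2023
"""


@dataclass
class Credential:
    url: str
    user: str
    password: str
    host: str


def parse_log(text: str) -> List[Credential]:
    """Emit one Credential per URL/USER/PASS triple, in file order."""
    creds, current = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*(URL|USER|PASS)\s*:\s*(.*?)\s*$", line)
        if m:
            current[m.group(1)] = m.group(2)
        if all(k in current for k in ("URL", "USER", "PASS")):
            host = (urlsplit(current["URL"]).hostname or "").lower()
            creds.append(Credential(current["URL"], current["USER"], current["PASS"], host))
            current = {}
    return creds


def host_in(host: str, domains: List[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def tier_of(cred: Credential, watched_corporate: List[str]) -> int:
    if host_in(cred.host, TIER1_SAAS) or host_in(cred.host, watched_corporate):
        return 1   # corporate: cloud consoles, SaaS, the organisation's own portals
    if host_in(cred.host, TIER2_BANKS):
        return 2   # banking and financial services
    return 3       # consumer applications


def triage(text: str, watched_corporate: List[str]) -> Dict[str, object]:
    creds = parse_log(text)
    rows = []
    for c in creds:
        # A corporate e-mail used on a consumer site still identifies an employee's device.
        corp_email = any(c.user.lower().endswith("@" + d) for d in watched_corporate)
        rows.append({"host": c.host, "user": c.user,
                     "tier": tier_of(c, watched_corporate), "corporate_email": corp_email})
    by_password: Dict[str, set] = {}
    for c in creds:
        by_password.setdefault(c.password, set()).add(c.host)
    reused = {pw: sorted(hosts) for pw, hosts in by_password.items() if len(hosts) > 1}
    exposure = [r for r in rows if r["tier"] == 1 or r["corporate_email"]]
    return {"rows": rows, "by_tier": dict(Counter(r["tier"] for r in rows)),
            "corporate_exposure": exposure, "reused_passwords": reused}
```

The reuse report is the part worth acting on first: a password shared between a SaaS login and the corporate VPN turns a tier-1 record into initial access, which is exactly what the IAB buying the log is looking for.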

Where are stealer logs distributed?

Stealer logs are distributed across four categories including public Telegram log channels, private Telegram channels, Russian Market, and Genesis Market.

  • Public Telegram “logs” channels are publicly available Telegram channels that provide terabytes of stealer logs per month. This primarily includes tier 3 logs.
  • Private Telegram channels are hosted by threat actors to distribute large quantities of logs under a monthly subscription model. These typically carry higher-value logs; the channels are invitation-only and usually limited to 25 to 30 users.
  • Russian Market is a dark web marketplace that specializes in selling access to devices and information. It prices all logs equally at $10 per log.
  • Genesis Market operated on the clear web until its recent takedown by law enforcement; since then it has operated entirely on Tor. It provided more structured and parsed log data and an interface that let threat actors clone a victim’s browser fingerprint. Log prices on Genesis varied by log.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“There have been numerous infostealer campaigns in the limelight in recent years, so it’s unsurprising that Flare’s research turned up such high counts of stealer logs across various platforms commonly used by threat actors.

Flare’s report does not get into the details of which logs came from which infostealer variant, which is likely due to the fact there are so many infostealers these days, with new variants emerging regularly. Even without this information, it’s eye-opening to see just how much money a threat actor makes off one single credential. This puts into perspective how lucrative these operations are for cybercriminals.”

3. Google Ads pushes new Nitrogen malware for ransomware attacks

Sophos released a report on a new Nitrogen initial access malware campaign which leverages malvertising and impersonates legitimate software to infect victims with Cobalt Strike and ransomware payloads. The campaign is primarily opportunistic and targets users searching on Google or Bing for specific IT tools.

About the Nitrogen malware family

Sophos uncovered a new initial access malware family called Nitrogen during its investigation. The name Nitrogen is derived from components of the debug information that was found in many of the samples, indicating that the developers refer to this project as Nitrogen or Nitronet.

The main components use the following class names: NitrogenStager, MsfPythonStager, NitronetNativeStager, and NitroInstaller.

The infection chain begins with malvertising via either Google or Bing ads that lure victims to compromised WordPress sites or phishing pages. The sites often impersonate software distribution sites to trick users into downloading trojanized ISO installers. These installers sideload the malicious NitrogenInstaller DLL, which carries a clean copy of the decoy application together with a malicious Python execution environment. The campaign drops a Meterpreter shell and Cobalt Strike Beacons onto the targeted system.

The campaign leverages Google and Bing pay-per-click ads to impersonate websites. It appears to target IT users, as the impersonated sites include AnyDesk, WinSCP, and Cisco AnyConnect VPN installers. One instance also leverages a trojanized installer for TreeSize Free.

  • WinSCP example: When a user searched Google for WinSCP, an advertisement titled “Secure File Transfer – for Windows” led to a phishing page posing as guidance for system administrators. Clicking the download link on that page redirected the user to a fake WinSCP download page, which delivered a malicious ISO file.
  • Cisco AnyConnect example: In addition to phishing pages, the threat actor also hosted malware on compromised WordPress sites. In one case they used a compromised site to mimic the legitimate Cisco download site for Cisco AnyConnect. The download link on this site would then redirect to a phishing page, delivering the malicious Nitrogen package.

DLL sideloading

The trojanized installers the victims download are ISO images. Opening one in Windows Explorer mounts it as a virtual drive, making its contents available under a drive letter. One of the files inside the image is the legitimate Windows msiexec.exe tool, renamed to install.exe or setup.exe.

When this renamed binary is executed, it sideloads the malicious msi.dll (the NitrogenInstaller) stored alongside it in the same image instead of the legitimate copy in System32. To keep msiexec working, the threat actor uses DLL proxying: the malicious msi.dll forwards the exported functions to the legitimate msi.dll.
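Detection logic for that sideload, as an added example that is not from the Sophos report: it walks Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flags a process whose PE `OriginalFileName` is `msiexec.exe` but whose on-disk name is something else, an `msi.dll` loaded from outside `System32`/`SysWOW64`, and the proxying shape itself, a single process loading both a rogue `msi.dll` and the genuine one. The event records are constructed; the field names match Sysmon's, while the drive letter `E:` for the mounted ISO, the paths and the process IDs are assumed.

```python
import ntpath
from typing import Dict, List

# Directories where the genuine msi.dll lives; anything else is a sideload candidate.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# Pid 5120 is the renamed msiexec.exe run from a mounted ISO (assumed drive E:);
# pid 6000 is a normal Windows Installer service process for comparison.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 5120, "Image": r"E:\setup.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": r'"E:\setup.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 5120, "Image": r"E:\setup.exe", "ImageLoaded": r"E:\msi.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # The proxy DLL then loads the real one to forward the exports it does not implement.
    {"EventID": 7, "ProcessId": 5120, "Image": r"E:\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe", "CommandLine": r"C:\Windows\System32\msiexec.exe /V",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 7, "ProcessId": 6000, "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def is_renamed_msiexec(ev: Dict) -> bool:
    """Process create where the PE's OriginalFileName says msiexec.exe but the file name does not."""
    return (ev.get("EventID") == 1
            and ev.get("OriginalFileName", "").lower() == "msiexec.exe"
            and ntpath.basename(ev["Image"]).lower() != "msiexec.exe")


def loads_msi_dll(ev: Dict) -> bool:
    return ev.get("EventID") == 7 and ntpath.basename(ev["ImageLoaded"]).lower() == "msi.dll"


def is_sideloaded(path: str) -> bool:
    """msi.dll resolved from anywhere but the system directories."""
    return ntpath.dirname(path).lower().rstrip("\\") not in SYSTEM_DLL_DIRS


def detect(events: List[Dict]) -> List[Dict]:
    findings = []
    msi_loads: Dict[int, Dict] = {}
    for ev in events:
        pid = ev["ProcessId"]
        if is_renamed_msiexec(ev):
            findings.append({"pid": pid, "rule": "renamed_msiexec",
                             "path": ev["Image"], "severity": "medium"})
        if loads_msi_dll(ev):
            entry = msi_loads.setdefault(pid, {"rogue": [], "system": False})
            path = ev["ImageLoaded"]
            if is_sideloaded(path):
                entry["rogue"].append(path)
                unsigned = ev.get("Signed", "").lower() != "true"
                removable = not path.lower().startswith("c:")   # a mounted ISO gets its own letter
                severity = "high" if unsigned or removable else "medium"
                findings.append({"pid": pid, "rule": "sideloaded_msi_dll",
                                 "path": path, "severity": severity})
            else:
                entry["system"] = True
    # A process that loads both a rogue msi.dll and the genuine one is the DLL-proxying shape.
    for pid, entry in msi_loads.items():
        if entry["rogue"] and entry["system"]:
            findings.append({"pid": pid, "rule": "dll_proxy_pattern",
                             "path": entry["rogue"][0], "severity": "high"})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['rule']} ({hit['severity']}) {hit['path']}")
```

The same three checks generalise to any renamed system binary and its sideloaded companion DLL; the `OriginalFileName` mismatch is the cheapest signal because Sysmon reads it from the PE version resource, which the renaming does not change.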

NitrogenInstaller

The sideloaded msi.dll file, known as NitrogenInstaller, will drop a clean installer for the legitimate decoy application along with two Python packages — one being legitimate and one malicious. The legitimate Python package is needed to execute Python code later in the infection chain. It will also attempt to elevate its privileges by executing a UAC bypass which is common across various malware and ransomware families. The NitrogenInstaller DLL will then create a registry run key to establish persistence.

To load the NitrogenStager DLL from the malicious Python package, the threat actors leveraged DLL preloading, which takes advantage of Windows’ own DLL search order when an application loads a library without specifying a full path. NitrogenStager cannot actually execute Python scripts, because its Py_Main function has been replaced with malicious connect-back code.

C2 staging

The malicious connect-back code in the Py_Main function runs automatically on execution. NitrogenStager has been observed connecting to C2 servers over four different protocols: TCP, TCP over SSL, HTTP, and HTTPS. The package contains a separate script for each protocol, each of which can connect to the C2 server, decode responses, and execute them.

Meterpreter shell

The next stage script, downloaded by the NitrogenStager DLL, is a customization of a Meterpreter script. Once executed, the Python script establishes a Meterpreter reverse TCP shell, allowing the threat actors to remotely execute code on the system.

Manual sessions

In one case, the threat actors invoked several commands via the open session, switching to hands-on keyboard activity.

The manual commands retrieved a ZIP file from a C2 server, then downloaded and executed an additional Python environment to invoke a series of Python scripts that resulted in the in-memory execution of Cobalt Strike Beacons. Further manual commands performed discovery and enumerated the domain. The suspected manual sessions reference Python scripts that the threat actors downloaded from a Cobalt Strike C2 server.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Malvertising is becoming quite popular among threat actors these days, so they must clearly find it to be a lucrative endeavor. This Nitrogen malware campaign, while still rather opportunistic, targets users looking for specific IT utilities that are commonly used in corporations.

Since these malvertisements tend to pop up as promoted results in search engines, CTI recommends avoiding clicking on promoted results — especially when looking for downloads.”

Do you have insight on these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
